CISA reports that its first-ever cybersecurity shared services offering is off to a hot start.
The Cybersecurity and Infrastructure Security Agency reports its shared service for vulnerability disclosure has helped participating agencies uncover and address more than 1,000 bugs that could have been exploited by hackers.
CISA launched the Vulnerability Disclosure Policy (VDP) Platform in July 2021. Since then, 40 agency programs have joined the platform and received more than 1,300 “validated” vulnerability submissions from researchers through December 2022, CISA writes in its first report on the VDP Platform.
Agencies remediated 84% of the reported bugs, with an average remediation time of 38 days.
“CISA urges FCEB agencies to review the VDP Platform 2022 Annual Report and encourages use of the platform to promote good-faith security research if they are not already doing so,” the agency wrote in an alert today. “By promoting an agency’s VDP to the public security researcher community, the platform benefits users by harnessing researchers’ expertise to search for and detect vulnerabilities that traditional scanning technology might not find.”
In a September 2020 binding operational directive, CISA told agencies to develop and publish a VDP to allow good-faith security research on all internet-accessible systems or services. The cyber agency also directed them to establish channels for accepting reports, communicating discoveries, and remediating any bugs.
CISA set up the shared VDP Platform service after discovering many agencies lacked formal mechanisms for vulnerability disclosure. The CISA platform is supported by security research company Bugcrowd and cybersecurity firm EnDyna.
Out of the more than 1,300 reports that were found to be valid disclosures, CISA reports that 192 were “critical” vulnerabilities, the most serious category. Eighty-two were “severe” vulnerabilities, while 757 were considered “moderate” and 299 considered “low/informational.”
CISA in its report argues the VDP Platform offers agencies “significant cost and time savings,” pointing to the IBM and Ponemon Institute finding that the average cost of a breach in 2022 was $4.35 million.
“These vulnerabilities exist on FCEB systems regardless of whether they are discovered, and the more vulnerabilities disclosed through the VDP Platform and remediated by agencies is a net positive,” CISA writes.
The use of bug bounties — when agencies specifically pay researchers to find vulnerabilities — is voluntary under the CISA VDP Platform. CISA reports that bug bounties “tend to draw elite researchers” since financial compensation is in play.
The Department of Homeland Security launched a “Hack the DHS” bug bounty program that allowed researchers to probe 13 DHS systems for vulnerabilities. They uncovered 235, including 40 “critical” bugs, with payouts totaling $329,900.
And when the open source software “Log4J” vulnerability hit the world in late 2021, DHS launched a separate bug bounty to find any instances of the critical bug on its networks. The Log4J example shows “the flexibility of the VDP Platform,” CISA writes in its report, while “laying a path for other agencies to follow for future widespread vulnerabilities.”
The VDP Platform also represents the first offering for agencies through CISA’s Cybersecurity Shared Services Office. The agency recently forecast that it expects to see a “big jump” in voluntary adoptions of its cyber shared services through the end of fiscal 2024.
Progress on the use of CISA’s VDP Platform comes as Rep. Nancy Mace (R-S.C.) proposes legislation that would require federal contractors to also adopt vulnerability disclosure policies in line with what agencies are required to have in place. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Mace said in a statement.
The use of vulnerability disclosure is increasingly seen as a cybersecurity best practice. The Office of Management and Budget in 2020 set out a government-wide policy for the use of VDPs to ensure ethical hackers could report bugs in public-facing systems without fear of reprisal, while ensuring agencies had the wherewithal to address the vulnerabilities.
“VDP programs can be pretty low cost and I think far more cost effective than a lot of other places where you could put your cybersecurity dollars,” former federal chief information security officer Grant Schneider said.
The Defense Department was the first agency to adopt vulnerability disclosure when it launched a major bug bounty program called “Hack the Pentagon” in 2016. DoD has extended its VDP program to some defense contractors under a voluntary pilot project.
Copyright © 2024 Federal News Network. All rights reserved.
Follow @jdoubledayWFED